Megalodon Campaign Backdoors GitHub Repositories via CI Workflow Compromise (Campaign)
ID: d11ed007-c46b-517b-a562-cf12ced03d81
STIX ID: report--d11ed007-c46b-517b-a562-cf12ced03d81
Feed Name: Wiz Cloud Threat Landscape
Date Published: 2026-05-22
Date Updated: 2026-05-29
Author: Wiz Threat Research
Megalodon is a large-scale software supply-chain campaign that compromised thousands (~5,500) of GitHub repositories by injecting malicious GitHub Actions workflows. The workflows exfiltrated CI/CD secrets, cloud credentials, SSH keys, OIDC tokens, and Kubernetes and Terraform credentials, and the campaign also poisoned npm package releases. The attackers used forged CI identities and likely leveraged compromised personal access tokens or deploy keys, employing both auto-executing workflows and dormant workflow_dispatch backdoors.
